Protecting Your Company from the EU Data Police: The EU-US Privacy Shield

The EU strictly controls outbound transfers of personal data. U.S. companies must therefore move cautiously when transferring data from the EU to their U.S. servers. “But it’s my data. And I’m not publishing it.” The EU doesn’t seem to care. Until last February, this wasn’t a big problem because U.S. companies could easily comply with EU rules by self-certifying under a protocol known as the EU Safe Harbor Framework. From Microsoft to Uber to app startups, this worked great for everyone. Then the European Union Court of Justice crashed the party by striking down the Safe Harbor, leaving a chasm of uncertainty for U.S. companies wishing to transfer EU data to their U.S. servers.

In an impressive (and rare) display of efficiency, the EU and U.S. quickly filled that chasm with a new regime known as the EU-U.S. Privacy Shield to replace the now-defunct Safe Harbor with . . . another safe harbor. As with the Safe Harbor Framework, U.S. companies take advantage of the Privacy Shield by self-certifying with the U.S. Department of Commerce that they are adhering to certain rules and guidelines regarding transfers of EU data. Like clockwork, on August 1, 2016, the U.S. Department of Commerce began accepting those certifications.

Sound familiar? The Talking Heads might call the new Privacy Shield “same as it ever was.” And they would be mostly right. But the new Privacy Shield does differ from the old Safe Harbor in some important ways.

Perhaps most notably, the Privacy Shield effectively deputizes the U.S. Department of Transportation and Federal Trade Commission to enforce Privacy Shield violations, like when a company fails to comply with the terms of its own certification. But that’s okay because U.S. agencies rarely overstep their regulatory authority, right? I mean, what could go wrong? Stay tuned on that. And even if the FTC decides to imitate the Consumer Financial Protection Bureau, U.S. companies engaging in significant EU data transfers have little choice but to self-certify under the Privacy Shield. The ability of a business to use the U.S. as a hub for a global enterprise inevitably requires the transfer of EU data; unless you are willing to forgo the European market, the Privacy Shield will become part of your company’s compliance plan.